Security in WordPress: Are you still showing YOUR plugins?

Michael Kwan’s blog was recently hacked by a clever hacker who managed to hide his visit neatly. Michael will tell you all about the story at his blog. This event, plus a couple of other events, has got me thinking about blog security. I’ll be doing a fuller post on my own experiences, ideas and suggestions.

It’s going to be a long post, so it will take some time to put all the pieces together. In the meantime, why don’t you sign up for my feed… so you don’t miss it!


Apart from the obvious tactics of keeping your blog software, themes, and plugins up to date, several bloggers have suggested ways to make it more difficult to find out which version of the blog platform, and which plugins, you are actually running.

The typical solution is to add a blank HTML file to the /wp-content/plugins/ directory so that it shows a blank page, or in John Cow’s case a Moo! But I was surprised to learn that this technique has an easy way around it. It is quite easy to confirm any plugin that you can guess is installed and retrieve the directory listing for that plugin, even though the higher-level directory is masked. Take a gander:

[Screenshot: directory listing of a plugin folder]

(This image was taken from one of my other blogs with the WP-Cache plugin installed and active.)

I found the wp-cache directory listing for another blogger who had otherwise masked his plugins directory with the standard blank HTML file. Unfortunately, a determined hacker will be able to figure out which plugins you likely have, rifle through your directory of files to see which files exist in the subdirectories of plugins, and perhaps hack your blog… I could see the contents of this wp-cache directory, plus all the other ones I knew this blogger to have been using. Mmm! I didn’t think that was particularly secure.

What alternatives are there?

Standard .htaccess

Yes, you could simply use an ‘htaccess’ file to keep the plugins from being displayed, but you would have to manually write and upload the file to each and every plugin directory you already have. That would be more than ten times on my blog, I think. It would look something like this:

Redirect 301 /index.html http://www.your-domain.com/
Redirect 301 /index.htm http://www.your-domain.com/
Redirect 301 /index.php http://www.your-domain.com/

But I realized that with the most commonly suggested solution for preventing plugin viewing, namely a 301 redirect, it is still possible to view the contents of any directory below the one in which the htaccess file is placed. So even if you place the htaccess in the directory of a particular plugin, some plugins also contain subdirectories (for images, etc.) that will still be visible. Tiring work…, so…

IndexIgnore

If you have a lot of directories in the plugins folder, the simple and easy solution is to create an htaccess file containing the single directive “IndexIgnore *” and place it in the /wp-content/plugins folder. This should prevent anyone seeing the listing in that folder or in any folder below that level. It generates an error like this:

[Screenshot: the resulting page]

It’s not very pretty, but it’s effective: browsers won’t display the contents. It could also be an opportunity wasted. Why?

HTML file

The standard blank HTML file mentioned above looks something like this:

<HTML>
<HEAD>
<TITLE>Blank Page</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
</HEAD>
<BODY>
</BODY>
</HTML>

Then Michael Kwan suggested adapting it to a page redirect in a chat we were having. He wrote: “…i’m thinking that it’s also possible to do a index.php and then put in a redirect… if you keep this file handy then you can upload it each time you install a new plug-in…” I began to think: What a good way to turn a problem into an advantage! I’m using an HTML file, though, not a PHP file.

The blank HTML file doesn’t show anything, and inadvertent visitors will not know what’s wrong. And a 404 only shows that a page was not found. So why waste the opportunity? I’ve adapted some simple code that I use, and it should work a treat. I would like to attribute this code, but I can’t remember where it came from!

Page Redirect

With this page redirect, it’s easy to redirect visitors quickly and conveniently to the most recent posting or indeed any specific page you want:

<html>
<head>
<title>Your Domain</title>
<meta name="robots" content="noindex,nofollow">
<script>window.location="http://www.yourdomain.com";</script>
<meta http-equiv="refresh" content="1; url=http://www.yourdomain.com">
</head>
<body>
<p align="center">You are going to Your Domain Name now…
<br>If the page doesn't load after 5 seconds or if you are (like me) impatient,
<a href="http://www.yourdomain.com">just click here</a>.</p>
</body>
</html>

The only downside is that you’d have to add this to every plugin directory the first time. But you could easily keep a copy somewhere and copy it to any subsequent plugin directory before you upload the plugin.
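The two chores above (the “IndexIgnore *” file at the top of the plugins tree, and a copy of the redirect page in every plugin directory and every subdirectory, as the 301 section noted) are easy to get wrong by hand. This added shell script, not part of the original post, does both against a plugins root and a template file passed as arguments; the directory names used in the comments are constructed examples.

```shell
#!/bin/sh
# Added example (not the post's own code): cover a WordPress plugins tree
# against directory listings. Assumes $1 is the plugins root
# (e.g. /path/to/wp-content/plugins) and $2 is the redirect/blank index.html
# to copy in. Runs locally on the filesystem; it does not touch the web server.

# Write the top-level .htaccess the post recommends (overwrites any existing one).
write_htaccess() {
    printf 'IndexIgnore *\n' > "$1/.htaccess"
}

# Print every directory under the root that has neither index.html nor
# index.php, i.e. every place a listing could still be served. Nested
# folders (wp-cache/images and the like) are included, which is the gap
# a single index file in the plugin's top directory leaves open.
list_uncovered() {
    find "$1" -type d -exec sh -c '
        for d; do
            [ -e "$d/index.html" ] || [ -e "$d/index.php" ] || printf "%s\n" "$d"
        done' sh {} +
}

# Copy the template into each uncovered directory; prints how many were covered.
# Re-running it is harmless: directories that already have an index are skipped.
cover_plugin_dirs() {
    root="$1"; template="$2"
    n=$(list_uncovered "$root" | wc -l | tr -d ' ')
    list_uncovered "$root" | while IFS= read -r d; do
        cp "$template" "$d/index.html"
    done
    echo "$n"
}
```

Run `list_uncovered` again afterwards; an empty result means every directory in the tree now has an index file.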

Thanks to Michael Kwan, and others for providing information that helped to write this blog. I’d appreciate any updates on security, so just drop me a line, especially if I got something wrong.

(Post edited for language, clarifications, and so on.)

WordPress 2.3.3 Security Upgrade: A simple upgrade technique

Today’s announcement of a security flaw in WordPress 2.3.2 may have spooked a few people:

WordPress 2.3.3 is an urgent security release. A flaw was found in our XML-RPC implementation such that a specially crafted request would allow any valid user to edit posts of any other user on that blog. … If you are interested only in the security fix, download the fixed version of xmlrpc.php and copy it over your existing xmlrpc.php.

I have already applied the patch to the blog, to ease my mind. To apply the patch, I’d recommend the following five steps:

  • Step 1: Download the patch directly from WordPress.org.
  • Step 2: FTP to your account and login.
  • Step 3: Find the xmlrpc.php file in the /yourblog.com folder and rename it as xmlrpc.old.
  • Step 4: Upload the new file to the same folder.
  • Step 5: Once everything’s working, move the file to the root of your FTP User account out of harm’s way.
  • (If things go wrong: rename the new file you just uploaded as xmlrpc.new. Then rename xmlrpc.old back to xmlrpc.php until you can fix the problem. Of course, this is a good technique, but the patch is a SECURITY patch, so you really OUGHT to upgrade xmlrpc.php to the latest one.)

If you’re ever upgrading plugins or even themes, renaming the current file or directory as *.old is a good way to give yourself a Plan B, just in case things go wrong when you install the new theme, plugin or file. You can simply revert to the old versions, provided you haven’t updated the database. CAUTION in upgrading is ALWAYS advised.

And, just in case you think hacking can’t happen to you, read the several postings on Matt Cutts’ blog about his own, less severe, hacking. There’s also a post on John Cow’s blog that got me thinking about this issue.

If you know any other great posts about blog security, do add them in the comments!

Newsbytes: Blog Announcement, WordPress Problems, Money Manager Ex, and Goog Stock Price

Well, this Tuesday’s newsbytes brings updates on the latest goings-on at InvestorBlogger dot com.

But first some recent stories that you may have missed:

New Blog or Two: MakingREALMoneyBlog is the new home for the Carnival of Making Real Money. It will be hosted on a WordPress install with all the usual plugins that I like to use: BlogRoll Page, All-in-One SEO Pack, Feed Footer, XML Sitemaps, Lighter Admin Drop Menus, obsocialbookmarker, PXS Mailform, SRG Archives, Spam Karma II, and Related Posts. Plus one or two others that I haven’t activated yet. But…

BUGGY WordPress: … some new installs of WordPress are BU G G Y… Yep, the visual editor bar refuses to show up at all on some of my newer sites… Here’s a glimpse. I’m still trying to find out what is causing the problem, but it wasted a lot of time last night, so I’ll be using the code view for most posting until I can find the cause. I will also use BlogDesk.

[Screenshot: WordPress post editor with the visual editor bar missing]

Where did the WordPress icons go…? It seems nobody knows. There are as many reasons and solutions as there are angels on the head of a pin. I can’t figure out what’s wrong at all. So I moved the whole domain from the original user to another that was okay, and hosted a WordPress blog without these problems. And voila! It worked… so here goes… Problem finally solved. Now I’ve just got to move ALL those plugins. The technical explanation is: I think the original ‘user’ was jinxed somehow: I had problems setting up WordPress, with faulty permissions, etc., so I’m just glad that it works now. 😀

Money Manager Ex: Here’s an interesting and open-source alternative to MS Money or Quicken: it’s called Money Manager Ex.

[Screenshot: Money Manager Ex]

It seems to offer a lot of flexibility, features and charts. It may not be at the level of MS Money, but then I never cared for that; it should allow users to begin learning how to use a money-managing program. I have installed it on my PC at home, and I’m wondering whether it can be run from a USB key as well. Anything to make my life a little easier!

Clearing out Google: I’ve now removed the nice little Picasa slideshow from the blog. It was quite an attractive element and added some visual punch, but I moved all the pictures to Flickr as part of my campaign against Google. I’m about to add a Flickr plugin soon, once I find one. Any suggestions?

Out of the nine Google services I originally identified myself as using, I have already dropped three from InvestorBlogger: Picasa, Reader (except for the marketing of this blog!), and Adsense. I’m working on YouTube as a user, and still have to download seven of my nine movies. I definitely prefer to host the movies on my own websites, especially as YouTube is a PR hole: it sucks in links and users and never returns them.

Adsense: is it becoming Add-non-Sense

And last but not least, John Chow writes in his recent post about Google’s raft of changes to its Adsense program:

My gut feeling tells me that Google revenues are down and that they’re doing everything possible to post a good quarterly report, even if that means taking it from the affiliates who help them build their business.

This could be true for a number of reasons: the screws are much tighter on revenue and payouts to affiliates; Google is a PUBLIC company now and needs to march to Wall Street’s beat; the US economy is entering a recession for many reasons (oil, housing, inflation, interest rates, jobs, …); AND Google has been trampling on the very webmasters that made it what it is today.

GOOG: Going down – Can you spell F A S T?

In the last six months, they have lost a ton of goodwill among webmasters over Adsense, PR, affiliates, etc., not to mention publishers, newspapers, mobile phone providers, writers, advertisers… I wouldn’t be buying Google stock at these prices. The stock is due for a huge fall, even though it is already down more than 20% from its highs just a few months ago. Hope you dumped your stock in the run-up in early November.

[Chart: GOOG stock price]

Guest Bloggers? Interested? SIGN UP!

I’ve decided to open this blog to guest posting… so if you’d like to post something, drop by, register and write away. I can’t promise I’ll publish it, but if it’s a good fit, I will!

And last, apologies for not posting yesterday afternoon as usual, but I was exhausted in the evening… 😉